Eduroam with OpenWRT
Introduction
How to configure your OpenWRT router as a stand-alone solution for accessing your university's eduroam secured network, giving you a permanent connection to the internet. For my first attempt I used a LaF*nera router from FON, but you can use any other router capable of running Linux OpenWRT.
The few things needed are:
- a router capable of running OpenWRT such as a LaF*nera;
- a computer with a serial port, or a USB/serial adapter, and a MAX232 level converter board to connect to the router (most MAX232 circuits will work at 3V);
- some average Linux knowledge of flashing firmware and network configuration (read the wikis from DD-WRT or OpenWRT);
- about an hour or so to configure everything.
LaF*nera is a very small router with one ethernet and one wireless NIC. It comes preloaded with a special version of OpenWRT compiled by FON to create their Social Network, which makes it perfect to experiment with since we know it runs OpenWRT.
Download OpenWRT v7.09 from www.openwrt.org
You'll get two files: one with the root filesystem and the other with the kernel.
wget http://downloads.openwrt.org/kamikaze/7.09/atheros-2.6/openwrt-atheros-2.6-vmlinux.lzma
wget http://downloads.openwrt.org/kamikaze/7.09/atheros-2.6/openwrt-atheros-2.6-root.jffs2-64k
Connecting to the serial port
Disassemble the router by removing the two front rubber feet and screws with a small Phillips screwdriver.

Locate the serial port on the right and plug in the serial cable.
Run your favorite terminal application on the PC. Minicom is a good choice! Configure the settings to:
- baud: 9600
- bits: 8N1
- flow control: NONE

Now apply power to the router and the bootloader should appear after a few seconds! Press CTRL+C to stop the boot procedure.
Flashing the router via serial port (ymodem)
To load the new version of OpenWRT into the router follow these steps:
Change the baudrate to 115200 bits per second to speed things up:
RedBoot> baudrate -b 115200
Change the settings in your terminal program to 115200 too and then erase the flash and load the root filesystem into the ram via serial port:
RedBoot> fis init
RedBoot> load -r -v -b %{FREEMEMLO} rootfs -m ymodem
In the terminal program select the file openwrt-atheros-2.6-root.jffs2-64k to send via the ymodem protocol and wait while it gets transferred.
After the transfer completes, write it to the flash memory of the router:
RedBoot> fis create -f 0xA8030000 -l 0x006f0000 rootfs
Finally load the kernel file to ram (file openwrt-atheros-2.6-vmlinux.lzma) and then to its own partition in the flash memory:
RedBoot> load -r -v -b %{FREEMEMLO} vmlinux -m ymodem
RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
Reboot the router and let linux boot:
RedBoot> reset
More information on flashing OpenWRT can be found on the Fonera mit OLSR - Freifunk Hannover page.
Connecting linux to eduroam
Boot your new OpenWRT Linux installation and wait until you see the system prompt.

Now install the following packages:
- wpa_supplicant - to connect to eduroam
- hostapd-mini - to provide a private secure wireless network to you
- zlib - dependency for one of the previous two.
You can use the following command:
ipkg install wpa_supplicant hostapd-mini zlib
Now let's move on to the configuration.
You'll need to disable the firewall but don't worry since your private network will be running behind NAT. It will provide some level of security.
/etc/init.d/firewall disable
Next, configure the dhcp in: /etc/config/dhcp
config dhcp
option interface lan
option start 100
option limit 150
option leasetime 12h
config dhcp
option interface wan
option ignore 1
The lan interface will be the one connected to the private network and the wan the one connected to eduroam.
Now configure the network interfaces in: /etc/config/network
# Copyright (C) 2006 OpenWrt.org
config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
config interface lan
option ifname eth0 ath0
option type bridge
option proto static
option ipaddr 192.168.88.1
option netmask 255.255.255.0
config interface wan
option ifname ath1
option proto dhcp
This example shows the private (lan) interface using IP addresses in the 192.168.88.0/24 range. Change it if you want, but be careful not to select the same network range used in the eduroam network. If you look more carefully you'll see that the lan interface is bridged with eth0, which means that the ethernet port of your F*n also gives you access to your private network. You should use this interface if any problems arise while configuring the router.
Give your F*nera OpenWRT a name: /etc/config/system
config system
option hostname YourFonWRT
Next configure the wireless settings for both eduroam and your private network: /etc/config/wireless
config wifi-device wifi0
option type atheros
#option channel 5
option agmode 11bg
option diversity 0
option txantenna 1
option rxantenna 1
# REMOVE THIS LINE TO ENABLE WIFI:
#option disabled 1
config wifi-iface
option device wifi0
option network lan
option mode ap
option ssid HomeNetName
option encryption psk
option key homenetpasswd2008
config wifi-iface
option device wifi0
option network wan
option mode sta
option ssid eduroam
#option ap 00:0E:84:AB:05:A0 # ap at the department of math UA
option encryption none # encryption is elsewhere
Let's look at the first wifi-iface: it's for the private lan interface, with ssid=HomeNetName, wpa-psk encryption, password homenetpasswd2008 and mode ap (access point, to provide a network).
The second wifi-iface is the wan interface that connects to eduroam, with ssid=eduroam (obviously), no encryption here because it is provided externally by the 802.1x authentication, and mode sta (station means it simulates a network interface like a regular computer connecting to the desired network).
Encryption to the eduroam network is provided by wpa_supplicant that must be configured outside this file. wpa_supplicant will use 3 files:
- /config-wpa - the script that starts wpa_supplicant and configures the firewall;
- /etc/rc.d/S60config-wpa - a symbolic link to the file /config-wpa that starts the wpa_supplicant at boot time;
- /etc/wpa_supplicant.conf - the settings
Create the file /config-wpa with the following:
#!/bin/sh
iptables -t nat -A POSTROUTING -o ath1 -j MASQUERADE
/etc/init.d/wpa_supplicant start
It will configure NAT on the outgoing traffic to ath1 (the wan eduroam interface) and start wpa_supplicant when the router starts.
Make the script executable and create a symbolic link to /config-wpa in /etc/rc.d/ by typing the following in the console:
chmod +x /config-wpa
cd /etc/rc.d
ln -s /config-wpa S60config-wpa
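With the stock firewall disabled, the MASQUERADE rule only rewrites outgoing addresses and filters nothing, so any service listening on the router itself is reachable from the eduroam side. The following is an added example, not the author's file: a variant of /config-wpa that keeps the page's NAT rule and adds stateful filtering, assuming the LAN bridge is named br-lan and that rc.d calls the script with the argument "boot".

```shell
#!/bin/sh
# Added example: /config-wpa with stateful filtering around the page's NAT rule.
# Assumptions: WAN is ath1 (as on the page), the LAN bridge is named br-lan.
IPT="${IPT:-iptables}"      # set IPT="echo iptables" to print instead of apply
WAN="${WAN:-ath1}"
LAN="${LAN:-br-lan}"

wan_rules() {
    # Traffic addressed to the router itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT   # DHCP lease
    # Traffic through the router: LAN may initiate, eduroam may only reply
    $IPT -A FORWARD -i "$LAN" -o "$LAN" -j ACCEPT                    # bridged LAN clients
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The NAT rule from the original script
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Everything else arriving or transiting is dropped
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Apply the rules only when started by rc.d ("boot") or by hand ("start")
case "${1:-}" in
    boot|start)
        wan_rules
        /etc/init.d/wpa_supplicant start
        ;;
esac
```

Run `iptables -F` first if the script may be started more than once, since `-A` appends to whatever rules are already loaded.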
And finally the wpa_supplicant settings in /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1
network={
ssid="eduroam"
scan_ssid=1
key_mgmt=WPA-EAP
pairwise=TKIP
group=TKIP
eap=PEAP
phase2="auth=MSCHAPv2"
identity="a?????@ua.pt" # Replace with your username
password="xxxxxxxx" # Replace with your password
}
Among other things you should check that the ssid is eduroam, key_mgmt is WPA-EAP, pairwise is TKIP and eap is PEAP. Your identity is your login name and your password... well, you should know what it is! Also check that phase2 is MSCHAPv2.
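The network block above sets neither ca_cert nor a server-name match, and without them wpa_supplicant does not verify the certificate of the RADIUS server before the PEAP/MSCHAPv2 exchange that carries your credentials. The following is an added example, not part of the original page: a small audit, usable with the router's BusyBox awk or on a workstation, that flags such blocks. The second network in the constructed sample, with a placeholder CA path and server name, shows settings that pass.

```shell
#!/bin/sh
# Added example: flag 802.1X network blocks that do not validate the server.
audit_wpa_conf() {
    awk '
    function report() {                  # runs at the closing brace of a block
        if (!eap) return
        if (!("ca_cert" in kv))
            print ssid ": no ca_cert, server certificate is not verified"
        if (!("subject_match" in kv) && !("altsubject_match" in kv) &&
            !("domain_suffix_match" in kv))
            print ssid ": no subject/domain match, server name is not checked"
        if (kv["pairwise"] == "TKIP")
            print ssid ": pairwise cipher is TKIP only"
    }
    /^[ \t]*#/ { next }
    /^[ \t]*network[ \t]*=[ \t]*[{]/ { inblk = 1; eap = 0; ssid = "?"; split("", kv); next }
    inblk && /^[ \t]*[}]/ { report(); inblk = 0; next }
    inblk {
        line = $0; sub(/[ \t]+#.*$/, "", line)      # strip a trailing comment
        eq = index(line, "=")
        if (!eq) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$|"/, "", val)
        kv[key] = val
        if (key == "ssid") ssid = val
        if (key == "key_mgmt" && val ~ /EAP|IEEE8021X/) eap = 1
    }' "$@"
}

# Constructed sample: the page's settings, then the same network with server
# validation added (the CA path and server name are placeholders).
sample_conf() {
    cat <<'EOF'
network={
ssid="eduroam"
key_mgmt=WPA-EAP
pairwise=TKIP
}
network={
ssid="eduroam-checked"
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
ca_cert="/etc/ssl/placeholder-ca.pem"
subject_match="/CN=radius.example.org"
}
EOF
}
sample_conf | audit_wpa_conf
```

On the router, run `audit_wpa_conf /etc/wpa_supplicant.conf`; the CA certificate and the expected server name come from your institution's eduroam documentation.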
To end this configuration only one thing remains: check that dnsmasq is configured to provide IP addresses to your private LAN. Remember the network range 192.168.88.0/24? Make sure no options outside this range are enabled in the config file. Here's my example:
# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries
# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=lan
expand-hosts
no-negcache
resolv-file=/tmp/resolv.conf.auto
dhcp-authoritative
dhcp-leasefile=/tmp/dhcp.leases
# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers
# other useful options:
# default route(s): dhcp-option=3,192.168.1.1,192.168.1.2
# dns server(s): dhcp-option=6,192.168.1.1,192.168.1.2
Detailed information on how to manually connect to eduroam network can be found at glua wiki.
To help you in this task I'm providing a zip file with all the files I changed and a small description of what needs to be configured in openwrt below.
Don't forget to reboot and change your root password from admin to something else!
Files
Zip with all the files edited at their places inside the filesystem
Reference sites
There are plenty of wikis on the web that teach you how to change from the original firmware, here are some of the sites I visit from time to time:
- www.dd-wrt.com - Home of DD-WRT an OpenWRT distribution with a very powerful GUI. Excellent for LaF*nera if you want to have features that are available only in high-end routers;
- www.openwrt.org - Home of OpenWRT, the Linux distribution for routers and other embedded devices;
- www.fonera.info - Information on hacking a F*nera.


